Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support capturing/tracing unix domain sockets with kprobe ebpf #225

Open
vakalapa opened this issue Apr 4, 2024 · 4 comments
Open

Support capturing/tracing unix domain sockets with kprobe ebpf #225

vakalapa opened this issue Apr 4, 2024 · 4 comments
Assignees
@FZhg
Labels
area/ebpf area/plugins help wanted Extra attention is needed priority/1 P1 type/enhancement New feature or request

Comments

@vakalapa
Copy link
Contributor

vakalapa commented Apr 4, 2024

Today Retina only watches for events from either tc prog or some drop reason kprobes, Retina should be watching for events of unix domain socket as well. This will need additional work to understand how to distinguish src and dest pod/container/process.

For starters, attaching to below kprobes:
kprobe/unix_stream_sendmsg
kprobe/unix_dgram_sendmsg
fentry/unix_stream_sendmsg
fentry/unix_dgram_sendmsg

Example:
https://github.com/Asphaltt/sockdump
@vakalapa vakalapa added type/enhancement New feature or request help wanted Extra attention is needed area/plugins area/ebpf priority/1 P1 labels Apr 4, 2024
@FZhg
Copy link
Contributor

FZhg commented Apr 13, 2024

Hi, I would like to work on this Issue. But I might need some time to figure out how to attach to the kprobe events. Could this be ok?

@rbtr
Copy link
Collaborator

rbtr commented Apr 14, 2024

That's okay, keep us updated 🙂
Assigned it to you, thanks for taking a look

@FZhg
Copy link
Contributor

FZhg commented Apr 23, 2024
edited

Hi, I have some initial thoughts about this feature. Essentially, this feature is to implement a UNIX domain socket plugin.

Metrics

Metric Name Description Extra Labels
unix_msg_count message counts for UNIX domain Socket direction, socket_type
unix_msg_bytes bytes count for UNIX domain Socket direction, socket_type

Label Values

Possible values for direction:

  • ingress (incoming traffic)
  • egress (outgoing traffic)

Possible values for socket_type:

  • SOCK_STREAM
  • SOCK_DGRAM
  • SOCK_SEQPACKET

Advanced Metrics

I need to find ways to enrich the flow without the IP addresses.

My plan is to implement the send_msg probes for the stream and datagram scoket first and then add more probes about receive_msg and seqpacket scoket later.

Dose this look like a good path? Thanks~

@vakalapa
Copy link
Contributor Author

@FZhg thanks for the update, I like this general direction for basic metrics. Are there any other labels we can add to the basic metric of unix_msg_count or unix_msg_bytes ?
for ex: is there a possibility to find the path/port of the unix domain communication as a label? this would help with some granularity on the data transfer until advanced with more details can be developed.

For advanced metrics, we will have to find a way to discover which cgroup or process is owning that socket send/recv and probably will have to enrich based on mapping of cgroup/process to pod.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FZhg FZhg

Labels
area/ebpf area/plugins help wanted Extra attention is needed priority/1 P1 type/enhancement New feature or request
Projects
Retina Triage Board
Status: Accepted
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rbtr @vakalapa @FZhg